Watching the watchers —

How much do Google and Facebook profit from your data?

New privacy monitor tries to put a price tag on your privacy.

Savvy Internet users know that all the great stuff they get from the Internet for "free"—the searches, the social networks, the games, even the news—isn't really free. It's an exchange, where companies are able to take user data, sell it to advertisers, and make money that allows them to give themselves a paycheck while keeping you afloat in free digital services.

So that data you're giving away online is worth something, but have you ever taken a stab at figuring out how much? A just-released privacy add-on for Firefox and Chrome, Privacyfix, gives it the old college try. Both Congress and the executive branch have been talking more about online privacy in the past couple years.

The estimates for Google and Facebook are imprecise, as the program's creator, Privacy Choice founder Jim Brock, readily admits. "We wanted people to understand, it is a value exchange" when they use these sites, said Brock.

Privacyfix measures your last 60 days of activity on Google, extrapolates that to a year, and uses a value-per-search estimate. Analysts believed Google was making $14.70 per 1,000 searches in 2010, and possibly less in 2011. Of course, if you spend all your time searching for luxury hotels or mesothelioma lawyers—and then clicking through the advertised links—you're much more valuable than the average user.

Brock says his estimated annual Facebook value was a mere $1.68. His daughter, perhaps unsurprisingly, is at $12. His Google value checks in at more than $700 per year, though.

The add-on also tells you how many of the websites you visit feed data back to Facebook and Google. I was surprised to see that Facebook is tracking me across 87 percent of the Internet, despite the fact that I'm a minimal user of Facebook.

Privacyfix has a checklist for Facebook privacy settings, with orange warning signs near settings that users might want to take a look at. Unless you're a complete privacy hawk already—or you don't care at all—you'll probably find something new on that list that you weren't aware of. Did you know Facebook automatically shares your profile info when you visit certain sites? Did you know your profile details are sometimes shared not just with your friends, but often with the makers of your friends' apps?

Privacyfix also gives you a heads-up on things you should be doing anyhow, like deleting Facebook apps you no longer use so that they stop gathering data. The add-on links you directly to those Facebook settings so you can fix them immediately, navigating you through a maze of privacy options some find arcane; it has a similar function for Google. "I haven't had anyone go through this process who was not surprised by something [they saw]," said Brock.

While it isn't Brock's intention that all users should tightly clamp down their privacy controls, that's what most of the users of Privacyfix have chosen to do so far, he said. Future plans include similar privacy controls for Twitter and LinkedIn, as well as a mobile app.

There are several addons that prevent your browser from forwarding information to Facebook and Google Analytics if you desire greater privacy.

It's my default mode for browsing, even if I'm currently allowing ads (and as I am magnanimous, I have an exception that always allows Google's text ads even if I'm prohibiting the rest).

This does provide some interesting insight, however. Specifically on why Facebook's stock is basically worthless. If Google is deriving ~$700 from each user and we assume that Brock's daughter hews closer to the mean, Facebook is deriving ~$12 from each user, then it's clear that Google is beating the pants off Facebook in monetizing users. It also provides a pretty clear indication that Google has a revenue stream that opponents in the technological space are simply not going to be able to match or effectively counter.

I'm fine with Google using my information however they want. I'm using their services for FREE! They are offering a great service for free. Free video streaming too. Free RSS reader. There is so much free stuff I use from google.

Skimming the Subject of an e-mail for data only used for THAT PERSON should be fair-game, but gathering data from the e-mail body is ethically wrong.

Specifically on why Facebook's stock is basically worthless. If Google is deriving ~$700 from each user and we assume that Brock's daughter hews closer to the mean, Facebook is deriving ~$12 from each user, then it's clear that Google is beating the pants off Facebook in monetizing users.

There's a very simple reason why this would be the case. When you search for something in Google; you are actively saying "I want something like this" whereas Facebook ads are more ambient (for want of a better word); they're just there, like TV ads, regardless of what you're doing. Obviously placing ads where likely buyers are looking are more likely to be successful, so they are more valuable.

Specifically on why Facebook's stock is basically worthless. If Google is deriving ~$700 from each user and we assume that Brock's daughter hews closer to the mean, Facebook is deriving ~$12 from each user, then it's clear that Google is beating the pants off Facebook in monetizing users.

Facebook has 1 billion active users. If they're worth on average $12 each to Facebook, that is still $12B/year in revenue. Big if, though.

FB makes $0.50 off me a year.Google gets about $400. Of course, some of that is direct payment for cloud services, but I don't know if they take that into account.

I use browser add-ons that block ads and disable tracking scripts. Ars Technica has ten trackers on it, by the way. I can't remember the last time I clicked on a website ad. Perhaps it was in the 90s. If somebody's paying for my information, they're not getting their money's worth. Are these business models based on ads and data mining really sustainable?

There is a vast difference between selling the right to show me ads because I meet a target demographic, and selling personal information about me. I have absolutely no problem with the former and encourage it. If Google can predict that I am going to want a book and sell it to me before I know it exists, awesome. Facebook selling my personal info to a potential employer or spammer? That is very much not cool.

I think we need to separate out different privacy leaks. Not all are created equal.

"While it isn't Brock's intention that all users should tightly clamp down their privacy controls, that's what most of the users of Privacyfix have chosen to do so far, he said."

How does he know that? Having his add on phone home would be the height of hypocrisy.

No; having it phone home without disclosing this and in particular having that information stored with identifying characteristics would be hypocritical. Simple global counters don't imperil privacy.

And in fact at the end of the PrivacyFix process is an optional quick survey which asks for exactly this info, so that's probably what he's quoting. I chose to complete the survey - I can see the value that responses have for them in encouraging their efforts and even if it did leak I can't see that it's nearly so bad as the privacy leaks it stoppered for me (and as promised I was surprised by some of the curly little Facebook options)

There is a vast difference between selling the right to show me ads because I meet a target demographic, and selling personal information about me.

Absolutely right. Reckless quotes like this one always make me a little cranky:

Quote:

the searches, the social networks, the games, even the news—[are not] really free. It's an exchange, where companies are able to take user data, sell it to advertisers, and make money that allows them to give themselves a paycheck while keeping you afloat in free digital services.

That's how I always understood things at least. By getting some algorithmic idea of what ads might be relevant to me google does two things: makes their adspace more valuable to advertisers and cuts down on the amount of irrelevant ads I see. The alternative is the "blanket them all with everything" spam approach that was the norm prior to targeted ads. I see it as a win-win really. I get less junk (stuff not available in my area, stuff I'll never buy, etc) and people advertising products and services waste less money spamming people who are not potential customers.

On top of that I get free valuable services that can only be developed and supported with sufficient ad revenue. I look at how so many ad-based free sites and services are struggling and approve of non-intrusive ways of making ads work for both sellers of "stuff" and the content I would like to have without a subscription fee.

From what I gather, Facebook tends to do it differently and their apps give sellers access to my data instead of just identifying what may apply to me so that Facebook can sell more valuable adspace. This is the main reason I block Facebook apps but not Google ads.

Either way, I still appreciate tools that let the user see what info is collected and where it is sent. In the end it should be up to the user to decide what they are comfortable with and whether the consider the free service worth the kind of data the site is collecting and how it is used.

In its zeal to reduce privacy considerations to a laundry-list of issues that can simply be "fixed," it eliminates distinctions between issues of wildly different exposure and concern. For example, having ad-network cookies on my machine is not the same level of exposure as having some Facebook app dump my profile to a third-party server over which I'll never have control again. As a result, this tool comes off as a bit reactionary.

One technical oversight — it should be able to identify that a Google Apps account has web search history permanently disabled. It lists this condition as something that should be fixed, which takes you to the Google account page explanation of why it can't be turned off (because it's off and can't be turned on). I wonder what other conditions default to an alert state when favorable errors are encountered.

A bit of clarification on how it works — this tool doesn't just help you set your browser and account settings, and it is not a simple assessment; it's an active component that expects you to leave it installed and remain signed in to all your applicable accounts. Some things it can't fix just by changing your preferences, so it must monitor your web activity to do things like disable Facebook widgets in third-party pages. Some users might be more concerned with performance than with marginal improvements to privacy.

If this plugin had a basement, I wouldn't be surprised to find it stocked with guns, gold bullion, and canned goods. I get why people are concerned, and they're right to be. It's important to maintain pressure on site operators to consider user privacy concerns. Whether tools like this help do that, I'm not sure. I read a lot of spite and resentment into this kind of oversimplified "OMG someone makes money off you being on the Internet, strike back!" approach. It would seem like education should be the primary goal, but the educational component is buried in terse help-bubble comments. Instead, the thing wants you to just make everything green. What does that gain?

I would happily pay Facebook $10-15 a year for an ad-free experience. The problem with Facebook is the smart people have to spend as much time thinking about how to monetize things as they do actually making a great social service. I think it could be a lot better if we just paid them to make a great social service.

I would think companies like Amazon or AT&T (among many others) pose just as much a threat as Google or Facebook. Targeted advertising isn't really much of a threat - it's what could be done with that data by the unscrupulous (include later employees of the company after falling on bad times). Lots of companies have lots of data even if they aren't using it to sell advertising. Is Apple or Nokia having all your map searches better than Google having them just because Apple and Nokia are not selling targeted ads?

In this example, this new app "Privacyfix" showed that FB's monetization is on a much smaller scale than that of Google. ($1.68 versus $700 annually) These are calculated estimates though.

I don't think this app really demonstrates that--it's more likely that it's simply extrapolating from statistics released by facebook/google about their monetization rather than providing good forward-looking estimates.

@The article's author, it would be really awesome to get some more in-depth information about how those statistics are calculated. It gets access to my browsing history I assume, so I could see it being as simple as # of pageviews on facebook/google times average value per pageview. If it's something deeper than that, I think the breakdown of the calculation would be awesome to hear about.

I use browser add-ons that block ads and disable tracking scripts. Ars Technica has ten trackers on it, by the way. I can't remember the last time I clicked on a website ad. Perhaps it was in the 90s. If somebody's paying for my information, they're not getting their money's worth. Are these business models based on ads and data mining really sustainable?

Some of the ads just need to be seen for their value to be gained, not necessarily clicked on. For example, sometimes the objective is simply to create buzz or mindshare. Simply seeing the same product name or image in many places without anything more will create some sort of background recognition where you say "I've heard of that before" (as opposed to before, "I've never heard of that before").

I know that I've never clicked a link for Spotify, however between the posts on Facebook, the ads on the side of the pages I visit and some news articles I'm now familiar with the product. While the news articles had much to do with it, so does the constant bombardment of the name and logo.

In its zeal to reduce privacy considerations to a laundry-list of issues that can simply be "fixed," it eliminates distinctions between issues of wildly different exposure and concern. For example, having ad-network cookies on my machine is not the same level of exposure as having some Facebook app dump my profile to a third-party server over which I'll never have control again. As a result, this tool comes off as a bit reactionary.

One technical oversight — it should be able to identify that a Google Apps account has web search history permanently disabled. It lists this condition as something that should be fixed, which takes you to the Google account page explanation of why it can't be turned off (because it's off and can't be turned on). I wonder what other conditions default to an alert state when favorable errors are encountered.

A bit of clarification on how it works — this tool doesn't just help you set your browser and account settings, and it is not a simple assessment; it's an active component that expects you to leave it installed and remain signed in to all your applicable accounts. Some things it can't fix just by changing your preferences, so it must monitor your web activity to do things like disable Facebook widgets in third-party pages. Some users might be more concerned with performance than with marginal improvements to privacy.

If this plugin had a basement, I wouldn't be surprised to find it stocked with guns, gold bullion, and canned goods. I get why people are concerned, and they're right to be. It's important to maintain pressure on site operators to consider user privacy concerns. Whether tools like this help do that, I'm not sure. I read a lot of spite and resentment into this kind of oversimplified "OMG someone makes money off you being on the Internet, strike back!" approach. It would seem like education should be the primary goal, but the educational component is buried in terse help-bubble comments. Instead, the thing wants you to just make everything green. What does that gain?

I literally could not agree more, great post. It really does seem like "Oh no, look at all that red!"

In its zeal to reduce privacy considerations to a laundry-list of issues that can simply be "fixed," it eliminates distinctions between issues of wildly different exposure and concern. For example, having ad-network cookies on my machine is not the same level of exposure as having some Facebook app dump my profile to a third-party server over which I'll never have control again. As a result, this tool comes off as a bit reactionary.

One technical oversight — it should be able to identify that a Google Apps account has web search history permanently disabled. It lists this condition as something that should be fixed, which takes you to the Google account page explanation of why it can't be turned off (because it's off and can't be turned on). I wonder what other conditions default to an alert state when favorable errors are encountered.

A bit of clarification on how it works — this tool doesn't just help you set your browser and account settings, and it is not a simple assessment; it's an active component that expects you to leave it installed and remain signed in to all your applicable accounts. Some things it can't fix just by changing your preferences, so it must monitor your web activity to do things like disable Facebook widgets in third-party pages. Some users might be more concerned with performance than with marginal improvements to privacy.

If this plugin had a basement, I wouldn't be surprised to find it stocked with guns, gold bullion, and canned goods. I get why people are concerned, and they're right to be. It's important to maintain pressure on site operators to consider user privacy concerns. Whether tools like this help do that, I'm not sure. I read a lot of spite and resentment into this kind of oversimplified "OMG someone makes money off you being on the Internet, strike back!" approach. It would seem like education should be the primary goal, but the educational component is buried in terse help-bubble comments. Instead, the thing wants you to just make everything green. What does that gain?

Information and detail like this is what led me to keep coming back to ARS for over a decade. I'm just saddened that more and more I only see it in the comments, not in the article.

I was interested in going to their site and finding out more because the article made it seem like it was a program under my control that I ran, not a bodyguard app that I have to trust to carry my wallet and car keys.

In this example, this new app "Privacyfix" showed that FB's monetization is on a much smaller scale than that of Google. ($1.68 versus $700 annually) These are calculated estimates though.

I don't think this app really demonstrates that--it's more likely that it's simply extrapolating from statistics released by facebook/google about their monetization rather than providing good forward-looking estimates.

@The article's author, it would be really awesome to get some more in-depth information about how those statistics are calculated. It gets access to my browsing history I assume, so I could see it being as simple as # of pageviews on facebook/google times average value per pageview. If it's something deeper than that, I think the breakdown of the calculation would be awesome to hear about.

It is as simple as that, that's why it's just a rough estimate. Page views times average value per view for FB, and searches times average value per search for Google.

don't think it is working on my end...been sitting at the "Privacyfix is setting up." start-page for like 5-10 minutes...am using Chrome, flashblock plugin and Kaspersky Internet Security Suite (which tends to be rather brutal about trackers, today alone 1060 banners/trackers/web-beacons are blocked

don't think it is working on my end...been sitting at the "Privacyfix is setting up." start-page for like 5-10 minutes...am using Chrome, flashblock plugin and Kaspersky Internet Security Suite (which tends to be rather brutal about trackers, today alone 1060 banners/trackers/web-beacons are blocked

I'm using Firefox 15.0.1 and it's been at "Privacyfix is setting up" for maybe 1.5 hours (just got out of a meeting).

I'm not logged into facebook or google from this computer, but I was wondering what it would do anyway. Apparently it hangs at startup.

So my rendition of the events is that you need to be actually logged into facebook or google for this to work. This is not spelled out in the article or Privacyfix webpage. Nontheless, it should not just hang, it should give an error message stating that a facebook and/or google login was required.

Edit: Eh, it's hard to care about Facebook harvesting my data when they only make $0.06 a year on me. That's fair. Even Google's $5.68 a year is pretty fair, considering they probably broke even trying to pay for bandwidth. Guess I must be pretty close to free-riding already, minus the fact that I actually like web search history, so they could use that information to track me in theory.

I would happily pay Facebook $10-15 a year for an ad-free experience. The problem with Facebook is the smart people have to spend as much time thinking about how to monetize things as they do actually making a great social service. I think it could be a lot better if we just paid them to make a great social service.

The problem with Facebook is they keep resetting privacy choices without notice.